Is critical infrastructure the next DDoS target?

A massive Distributed Denial of Service attack shut down a portion of the internet recently. Experts say it is unlikely a similar attack could take down the grid or other critical infrastructure but acknowledge that security remains weak in the industry.

Kantor added that there are a number of US utility companies, along with industry research and trade associations that include the Electric Power Research Institute and the Utilities Technology Council, “that are supporting an amendment to an existing wireless communications standard to address reliability, coverage and security concerns of critical infrastructure networks or what they refer to as Field Area Networks (FANs).”

Lee also said he has seen an encouraging focus on security. “I've seen some critical infrastructure companies, such as in energy, that are extremely well prepared and could have detected targeted threats that have attempted to breach their organizations.

“As a community we need to ensure that this isn't the 5 percent of the community and is more widespread. But there are great successes,” he said.

But he acknowledged that vendors of ICS equipment are selling in a global market, where security pressures are not as great as in the US. And, as has been widely reported, large generators and other ICS equipment can cost well into six figures, cannot be easily retrofitted with security and are meant to last for 25 years or more.

“The reality is that the ICS industry has a long way to go,” he said.

Gumbs agreed. “Security hasn’t always been viewed as a priority,” he said. “They don’t have the skills needed to keep up with attackers. They don’t have ability to hire or retain talent.

“It isn’t trivial to detect a sophisticated attack and it requires a large amount of people, skill and technologies in place to properly defend against them. Because the industry is just now prioritizing security, it will take some time before they can provide a formidable defense against sophisticated cyberattacks.”

Of course, a DDoS is not considered a sophisticated attack. It could still cause some significant disruption – Devost noted that, “if millions of IoT thermostats in homes and smart grid devices in commercial buildings are compromised and ask for maximum AC on a day in which there is excess demand in the grid, what would the impact be?”

“Security hasn’t always been viewed as a priority.” (Gabe Gumbs, vice president of product strategy, Spirion)

But Gumbs said he thinks CI in the US is resilient enough to respond to such an attack without catastrophic disruption.

“A cyberattack on the scale that we’re talking about could be compared to a natural disaster, maybe,” he said, “and we’ve shown that we are fairly resilient when facing hurricanes, floods, earthquakes and more.”

He said a crash of the financial system would be worse. “This would undermine the trust we have in walking to an ATM and withdrawing cash, even paying for provisions if we were in an actual disaster.”

Kantor said he believes most utilities take security seriously. But he acknowledged that, “given the size and scope of the electric utility industry – there are more than 3,300 electric utilities in the contiguous US distributed over three million square miles – there are many areas of vulnerability, both physical and remotely.

“Infiltrating the critical communications infrastructure is the easiest and most anonymous way to cause major disruption. We’re now facing a world where hackers are getting smarter and hacker communities exist where knowledge and advancements in DDoS code is shared.”

“We’re now facing a world where hackers are getting smarter and hacker communities exist where knowledge and advancements in DDoS code is shared.” (Stewart Kantor, CEO, Full Spectrum)

So, lowering the threat of a DDoS against utilities or other CI may require an improvement in IoT security. And some experts say the market won’t do it – that it will take a push from government.

Schneier, in his recent post, said there is, “a market failure at work” when it comes to IoT security, because neither the sellers nor the buyers of devices really care about it.

“It’s a form of invisible pollution,” he wrote, “and, like pollution, the only solution is to regulate,” with things like minimum security standards and/or making it easier to sue manufacturers if their products are used in DDoS attacks.

“The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure,” he wrote.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.